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(57) Abstract: A system (10) for protecting information 
over the Internet (16), or other public network, is provided 
at a web site addressable by one or more client computer 
systems (18). Each client computer system connects to 
the web site to receive a respondent identifier and viewer 
software. A unique viewer identifier is generated by the 
viewer software at the client computer system (18) and 
sent to the web site for registering the viewer identifier 
with the respondent identifier. The web site has a database 
(20) and one or more web servers (12, 13, 14, 15) coupled 
to the database. The database (20) stores registration 
information including the viewer identifier and associated 
respondent identifiers for the client computer systems (18), 
encrypted content information files and keys to decrypt 
such files, survey invitation information for each of the 
surveys, and exposure limit information. In response to 
receiving a survey in accordance with an invitation, the 
client computer system (18) enables the content viewer 
to connect to the web site of the content protection system 
(10) and download a file with the encrypted content 
information for that survey. The viewer software then sends 
a request to the content protection system (10) for a key 
to decrypt the downloaded content information file. The 
content protection system (10) determines, based on the 
respondent, viewer and survey identifiers and associated 
exposure limit information, whether to send a decryption 
key. If so, a decryption key is sent to the client computer system (18) and the viewer uses the key to decrypt the encrypted content 
information file, and then opens a viewer window to show the decrypted content information on the display of the computer 
system (18). During viewing on the computer system (18), the viewer limits access to the window showing the displayed content 
information which would typically allow the user to access information and enable copying. 
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SYSTEM FOR PROTECTING INFORMATION OVER THE INTERNET 

Description 

5 This application claims the benefit of priority to U.S. Provisional Patent Application 

No. 60/146,691, filed August 2, 1999, which is herein incorporated by reference. 

Field of the Invention 
The present invention relates to a system (and method) for protecting information 

10 over the Internet or other public networks, and relates particularly to, a system for protecting 
the viewing of information at a computer system which is connected over the Internet to the 
system. The invention is especially suitable for conducting surveys over the Internet via a 
computer in which part of the survey viewed on the display of the computer must be 
protected from unauthorized viewing and copying. The invention may also be applied to any 

1 5 other application where viewing of information at a computer requires authorization and 

protection from copying, where rights to limited viewing of the information are received via 
the Internet. Viewing is generally defined herein as displaying graphics, text, video, or other 
information with any accompanying audio. 



20 Background of the Invention 

Conventionally, surveys or polls are a series of questions on a form presented to 
individuals, called voters, to sample the views of people in a given region or country for 
political, commercial or entertainment purposes. Surveys are typically conducted either in 
person, mail, or via telephone to a great number of individual voters. With the development 

25 of the Internet and its growing widespread use, surveys can now be taken by persons at their 
computer. For example, a system for conducting surveys over the Internet are described in 
U.S. Patent Application 09/243,064, filed February 2, 1999, and International Patent 
Application No. PCT/US00/02623, filed February 2, 2000. Often surveys are used to test 
concepts, such as the packaging of a new food product, before companies make an 

30 investment in the product or to determine the best way to advertise the product. It is 

important in concept test surveys that the information used to convey the content of the 
concept be prevented from view by competitors who could use the information to the 
disadvantage of the company supporting the survey. This is easy in conventional surveys 
where the viewed information is provided in a protected environment of in-person polling. 

35 However, in surveys conducted over the Internet, the environment of the typical web browser 
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computer using a plurality of identifiers before the client computer can receive a key to 
decrypt the content file. 

A further feature of the present invention is to provide an improved system for 
protecting information in which a computer receiving a content file has focus control to 
5 protect displayed information from the content file from being readily accessed and thereby 
copied. 

Briefly described, the content protection system embodying the present invention 
includes a web site addressable by one or more client computer systems for connecting to the 
content protection system over the Internet or other public network. Each client computer 

10 system connects to the web site and receives a respondent identifier and viewer software. 
When the viewer software is installed at the client computer system, it generates a unique 
viewer identifier identifying the client computer system. The viewer identifier is sent to the 
web site for registering the viewer identifier with the respondent identifier. The web site has a 
database and one or more web servers coupled to the database. The database stores 

1 5 registration information including the viewer identifier and associated respondent identifiers 
for the client computer systems, encrypted content information files and keys to decrypt such 
files, survey invitation information for each of the surveys, and exposure limit information to 
determine whether content information can be viewed by a client computer system. Based on 
the survey invitation information, if the user of the client computer system has been selected 

20 to participate in a survey, the client computer system receives an E-mail invitation to 

participate including a unique survey identifier associated with the survey and the respondent 
identifier of the client computer system. The survey may represent any program which 
requires content information to be viewed in a secure environment. In response to receiving a 
survey, in accordance with the E-mail invitation, from the web site, or another web site, the 

25 client computer system enables the content viewer to connect to the web site of the content 

protection system and download a file with the encrypted content information for that survey. 
The downloaded file has no associated information regarding usage of the file by the client 
computer system. The encrypted content information is identified by a unique content 
identifier. The encrypted file may alternatively be provided from another source on the client 

30 computer system, such as a disk or CDROM. The viewer software sends a request to the 

content protection system for a key to decrypt the downloaded content information file, and 
includes in the request the respondent, viewer, survey, and content identifiers. The content 
protection system determines whether the respondent, viewer and survey identifiers match 
corresponding identifiers of the participants invited to take the survey stored in the database 
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Detailed Description of the Invention 
Referring to FIG. 1, the system 10 of the present invention is shown having multiple 
web servers 12, 13, 14, and 15 at a web site which are capable of establishing a network 
connection over the Internet 16 or other public network with one or more client computer 
5 systems 18. Client computer system 1 8 represents a desktop, laptop, WebTV, or other 
computer system having typical web browser software, such as Microsoft Explorer or 
NetScape Navigator, and network interface, such as a modem, or T1/T2 data line to an 
Internet Service Provider, for communicating to web sites at Internet addresses associated 
with such sites. The web servers 12-15 are connected to a LAN 17 and have access to 

10 database 20. The Download and Register Content Viewer server 12 is coupled to the Internet 
16 and has an Internet address or URL enabling a user at client computer system 18 to 
connect to the web server 1 2 and download a file referred to as content viewer software. The 
Registration server 13 updates and maintains registration information in the database 20 
identifying the client computer system and installed content viewer software at the client 

15 computer system. The Content Encryption server 14 provides for assigning a unique 

identifier to each content file representing information, such as an image, text, video, audio, 
or animation, encrypting the content file, determining a decryption key for the encrypted 
content file, and storing the content file at a URL on the server 14 or another web site on the 
Internet. The server 14 also allows a client computer system 1 8 to receive an encrypted 

20 content file at the URL associated with the file. The Key server 15 has a URL addressable by 
the viewer software installed at the client computer system 18 to request the decryption key 
associated with a downloaded encrypted file. The database 20 stores in addition to 
registration information and information about each encrypted content file, exposure limit 
information on the rules regarding when the content may be viewed and how many times the 

25 content may be viewed at a client computer system, and survey and invitation information 
defining the survey requiring viewing of content files and the participants (registered client 
computer systems) selected for each survey, as will be described later in connection to FIG. 
3. The database 20 may be stored in memory, such as the hard drive or RAM, of a computer 
or another server, or may be contained in memory of one of servers 12-15. 

30 One or more administrative computers represented by computer 21 can be coupled to 

LAN 17. The administrative computer 21 can send content files to the content encryption 
server 14 for encryption, and update the database with regards to the survey, invitation 
information and exposure limit information. 
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The SurveyContent table 24 has two data fields, SurveylD and ContentlD. Each 
record in the SurveyContent table links a particular survey having the SurveylD to an 
encrypted content file having the ContentlD. The Exposure Limit Table 25 has records with 
the following data fields: ContentlD; SurveylD; EndDate, the last date which the encrypted 
5 file associated with the ContentlD of the record can be viewed; EndHour, the time (hour and 
minute) on the EndDate when the encrypted file associated with the ContentlD of the record 
can no longer be viewed; StartDate, the first date which the encrypted file of the ContentlD 
of the record can be viewed; StartHour, the time (hour and minute) on the StartDate when the 
encrypted file associated with the ContentlD of the record can be viewed; and No Viewing, a 

10 number indicating the number of times the encrypted file associated with the ContentlD can 
be viewed by a client computer system. The View Content table 26 has records with the 
following data fields: ContentlD; SurveylD; RespondentID; and Count, the number of times 
the client computer system associated with the RespondentID has viewed the content file 
associated with the ContentlD for the survey associated with the SurveylD of this record. The 

15 Survey table 27 has three data fields: SurveylD; SurveyURL, the network address of the 

survey at the survey server; and SurveyName, the name of the survey. The Content table 28 
has records with the following data fields: ContentlD; ContentName, the name of the 
encrypted content file associated with the ContentlD of this record; and Unlocking Key, the 
decryption key associated with the encrypted content file associated with the ContentlD of 

20 this record; ContentURL, the network address where the encrypted content file of the 
ContentlD of this record can be accessed. The Invitation Table 29 has records with the 
following data fields: RespondentID; SurveylD; ViewerDD; Survey Complete, the date and 
time when the survey associated with the SurveylD was completed at the client computer 
system having the RespondentID and associated ViewerlD; and Survey Start, the date and 

25 time when the survey associated with the SurveylD was started at the client computer system 
having the RespondentID for the associated viewer software ViewerlD. The Respondent 
Table 30 has records with the following data fields: RespondentID; ViewerlD associated with 
the RespondentID; and E-mail, the E-mail address of the RespondentID. In the example of 
tables 25-30 shown in FIG. 3, each of the types of different data fields are indicated by 'T' for 

30 an integer number, "D" for date, *T" for time, "VA" for variable alphanumeric followed by a 
number indicating the maximum character length, and "A32", for a fixed length 
alphanumeric of 32 characters. The database tables 25-30 will further be described in 
connection with FIGS. 5 and 7. 
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content viewer software, the content control system 10 sends from server 12 to the client 
computer system of a user an E-mail invitation to participate in a survey in the future with the 
URL of the server 12 (step 38), as shown in FIG. 5. Each E-mail invitation contains a 
RespondentlD. The URL of server 12 enables the web browser of the client computer system 
5 18 to link to a page at server 12 which enables the user to send a request to download of the 
content viewer software (step 39). This request includes the RespondentlD received via the 
E-mail Invitation. In response to receiving the request, server 12 sends the content viewer 
program with an installation program (step 40). The client computer system 18 receives the 
content viewer and installation software, and the installation program of the viewer is 

10 manually executed by the user at the client computer system 1 8 to install the viewer in 

memory of the computer, such that it can be called when needed by a survey received from 
the survey server 22 (step 41). The installation program registers the content viewer in the 
Windows registry of the client computer system with a specific application type so a file with 
the same extension can invoke the viewer. The registration process generates a unique 

1 5 ViewerlD to identify the client computer system 1 8, such as described below. After 

installation of the viewer, the E-mail invitation asks the client computer user to register the 
content viewer with server 12 by browsing to a URL, or via a dialog box which appear at the 
end of the viewer installation, to complete the registration. By connecting to this URL, the 
ViewerlD is sent to server 12 to be stored (registered) in a record of the Respondent table 30 

20 of the database with the RespondentlD received in the E-mail invitation (step 42). The user is 
also asked during registration for their E-mail address and any other information to be stored 
in this record. 

The ViewerlD may be generated by a call to the Win32 system API CoCreateGUDD. 
The ViewerlD is generated to uniquely identify the client computer system 1 8, and may be 

25 based on: the current date and time, a clock sequence and related persistent state to deal with 
retrograde motion of clocks, a forcibly incremented counter to deal with high-frequency 
allocations, and the truly globally unique IEEE machine identifier, obtained from a network 
card, or other highly variable machine states. Thus, the registration process now ties together, 
in Respondent table 30 of database 20, the user's original E-mail address, the RespondentlD 

30 sent to the user at the start of the registration process, and the ViewerlD generated during 

viewer installation. If the user changes his E-mail address, the user must re-register his copy 
of the viewer, as described above. 

Referring to FIG. 6, the client computer system 18 and installed content viewer 
software 44 is shown. The client computer system 1 8 operates on the window operating 
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the user through regular mail or other advertising media. The invitation contains a network 
address of the survey server which references the SurveylD of the survey. In the case where 
an E-mail invitation is used, the address may be in an embedded hyperlink upon which the 
user clicks upon to contact the survey server and receive the HTML page with the survey. 
5 The Respondent© may be an embedded as a parameter in the URL, or the opening dialog 
box of the survey may request it from the user. (The RespondentID may have been given to 
the user, such as by display to the user, at the earlier described registration process). Upon 
receipt of the survey, the web browser of the client computer system operates in accordance 
with the HTML code of the survey to enable the viewer, which then sends a request to the 

10 web site of the content protection system for the encrypted files based upon the SurveylD 

(step 57). In response, the content protection system, such as server 14, queries for all records 
of the SurveyContent table having the SurveylD and locates the ContentID associated with 
the SurveylD. In addition, the SurveyStart field of the record of the Invitation table for the 
RespondentID is updated with the current date and time to show that the survey has 

1 5 commenced. The record of the Content table having the ContentID is then accessed to locate 
the URL where the encrypted content information file will be found. This URL points to a 
file which contains the location of the encrypted content. This encrypted content file is then 
downloaded from this URL address to the client computer system, via the content viewer, at 
the client computer system (step 58). If multiple records were located in the Content table for 

20 the SurveylD, each encrypted content file is separately downloaded to the client computer 
system immediately prior to processing. 

After receiving the downloaded file, the HTML code for the survey (or the content 
viewer) operates the viewer to send a request, via the Internet, to the Key server 15 (FIG. 1) 
for the decryption key for the downloaded file (step 59). The request includes the 

25 RespondentID and ViewerlD which was stored with the viewer when installed, the SurveylD 
of the survey, and the ContentID of the encrypted content file. 

At steps 60-61, the Key server 15 receives, via the Internet 16, the request from the 
client computer system 18, and sends the decryption key from the record of the Content table 
28 having the ContentID to the client computer system requesting the key if the Key server: 

30 1) can locate the RespondentID, SurveylD and ViewerlD of the request in the same 

record of the Invitation table 29; 

2) the current date and time is within the specified time period, i.e., date and time 
range (StartDate, StartHour, and EndDate, EndHour), of the record of the Exposure Limit 
table 25 for the ContentID and SurveylD of the request; 
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notice or other message. Play of display resumes when the viewer again receives focus, such 
as by the user clicking, via the mouse, on the viewer window. 

After viewing is completed, the user can close the viewer window and proceed to 
answer the questions of the survey. The user submits the answers by clicking on a button on 
5 the survey page, which sends the answers to the survey server and a message to the content 
protection system, i.e., Key server, that the survey was completed with the RespondentID, 
SurveyBD and ViewerK). The survey complete field of the record in the Invitation table 29 
having the RespondentID, SurveylD and ViewerlD is updated with the date and time the 
message was received. 

10 Upon receiving a survey invitation, if the client computer system 1 8 cannot call the 

content viewer software (since it has not been installed), the HTML code of the survey will 
not operate. The Key server 1 5 will allow the installation and registration of the content 
viewer. However, the client computer system 1 8 will still not decrypt the content for this 
particular survey, since there will be no corresponding record in the Invitation table of 

1 5 database 20. Once registered, the client computer system 1 8 may receive future invitations to 
participate in surveys with protected content that the user will be able to complete 
successfully. 

In this manner, user interaction with the client computer system 18, via its user 
interface, is limited during display by the viewer to prevent access to the decrypted content 

20 file, and thereby possibly unauthorized electronic copying or printing. As the focus control 
limits access, no specific usage control information, defining how the content file may be 
used at the client computer, need be associated or attached with each content file in the client 
computer system, as in complex prior art distribution systems for digital works. Thus, the 
content file is not transmitted to the client computer system 1 8 with usage control 

25 information. 

The data structures of the tables of the database 20 described above are exemplary. 
Other data structures may be used with different tables for storing the information described 
therein. 

From the foregoing description, it will be apparent that an improved system for 
30 protecting information over the Internet has been provided. Variations and modifications of 
the herein described system and other applications for the invention will undoubtedly suggest 
themselves to those skilled in the art. Accordingly, the foregoing description should be taken 
as illustrative and not in a limiting sense. 
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5. The system according to Claim 2 wherein said key sending means only send 
said key to said second computer system a certain number of times. 

6. The system according to Claim 1 wherein said display enabling means at said 
second computer systems is provided by viewer software installed at the second computer 
system, and said registering means is enabled when said viewer software is installed. 

7. The system according to Claim 1 wherein said sending means, and display 
enabling means are enabled by viewer software installed at the second computer system. 

8. The system according to Claim 7 wherein said viewer software is 
automatically executed in response to executing a program received by said second computer 
system via the network. 

9. The system according to Claim 1 wherein said second computer systems have 
a display, and said display enabling means provides for playing said content information is a 
window on the display. 

10. The system according to Claim 9 wherein said display enabling means 
disables playing of said content information in said window when the user of the second 
computer system selects another window on the display. 

1 1 . The system according to Claim 10 wherein said display enabling means places 
a protection image in the window when said playing of said content information in said 
window is disabled. 

12. The system according to Claim 1 wherein said first computer system 
comprises one or more server computers and a database coupled to at least one of said server 
computers containing at least information defining the registered second computers. 

13. The system according to Claim 1 wherein said second computer systems each 
have means for interfacing to said network and capable of connecting to said first computer 
system at one or more network addresses. 



f 
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computer system to operate responsive to the user of the second computer system to prevent 
copying of the content information when said received content information is being 
displayed. 

1 8. The method according to Claim 1 7 wherein said content information sent to 
said one of said registered second computer systems is encrypted, said method further 
comprising the steps of: 

requesting at said second computer system a key from said first computer system for 
decrypting said received encrypted content information; 

sending from said first computer system a key to decrypt the encrypted content 
information to the second computer system which requested the key; and 

decrypting at the second computer system the encrypted content information in 
accordance with the received key, in which said second computer system when displaying the 
decrypted content information ignores signals from the user interface capable of enabling 
access to the decrypted content information. 

19. The method according to Claim 1 8 further comprising the step of selecting one 
or more of said registered second computer systems to display the content information, and 
said key sending step only sends said key to the preselected second computer systems which 
requested the key. 

20. A method for conducting a survey at a computer connected to the Internet 
comprising the steps of: 

sending a survey to the computer via the Internet which references a network address 
to obtain a file for said survey; 

downloading said file from said network address in which said file is encrypted; 

requesting a key to decrypt said encrypted file from a network address where said key 
is available; 

receiving a key at the computer when said computer is associated with a participant 
selected to take said survey; and 

decrypting the file in accordance with said key and playing the decrypted file as part 
of the survey. 



21. 



The method according to Claim 20 further comprising the steps of: 
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each of said computer systems having a display and a user interface in which, when 
said file is played, signals from the user interface at the second computer system are ignored 
which enable access to the decrypted file, and when another window is selected than the 
window displaying the decrypted file, disables the playing of the decrypted file. 

27. An Internet web site for supporting concept surveys which are capable of 
connecting to one or more client computer systems comprising: 

one or more computer servers capable of connecting to the Internet in which said 
client computer system are registered with said web site; and 

a database coupled to one or more of said servers which stores encrypted information 
files representing parts of one or more surveys and their associated keys, in which said web 
site is capable of sending said encrypted information file to registered client computer 
systems for carrying out a survey received by said client computer systems, and sending a 
key to decrypt an encrypted information file to one of said registered second computer system 
when said second computer system is authorized to receive the key to enable the client 
computer system to play the information file as part of the survey. 

28. A system for protecting over the Internet viewed information received by one 
of a plurality of computer systems as part of a survey, said system comprising: 

a web site connectable to each of the computer system in which said web site has a 
database storing encrypted content information and keys to decrypt the content information; 

means for providing to each of the computer system from the web site a first 
identifier associated with a viewer; 

means for registering each of the computer systems with the web site based on the 
first identifier provided from the web site and a second identifier uniquely identifying the 
computer system and storing in said database said first identifier in association with said 
second identifier; 

means for inviting participants to take the survey associated with a unique third 
identifier in which said participants represent one or more of the registered computer 
systems; 

means for providing to one of the computer system a file containing encrypted 
content information having a unique fourth identifier; 

means at each of the computer system for receiving the survey and receiving the 
encrypted content information from the web siie associated with the survey; 
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